
Security Strategy

Royal Mail tightens hacker defences

Case study: Weekly sweeps to spot any weaknesses for post service

Tags: qualys, case study, qinetiq, royal mail

By Dan Ilett

Published: 14 June 2005 11:25 GMT

The Royal Mail is tightening security practices by sweeping its networks for vulnerabilities on a weekly basis.

The postal service, which is starting to use more web-based business processes, has outsourced vulnerability and penetration testing to security company QinetiQ.

Martin Roe, Royal Mail's IT security manager, said: "What we were trying to achieve was periodic penetration tests five times a year. But they were quite irregular and I was worried about the gaps of time in between them."

Roe said he wanted more regular tests performed to ensure hackers stood no chance of breaking in: "I wanted to try and automate the process. I looked at vulnerability scans and we put it out to tender to see who could do this on a weekly basis instead of a few times a year."

He said vulnerability scanning on individual products was taking up valuable time for his staff, so the company opted for three services: QinetiQ's Managed Vulnerability Assessment and Alerting Service, a general security health check, and Qualys' Automated Scanning Service.

QinetiQ packaged the services to guard against the threats deemed to be most severe to Royal Mail.

Roe said he now receives weekly status reports with advice on any action his team needs to take, such as which software patches to apply. As a result, staff can focus on other areas of IT: "I'm now getting the sort of information I need. It follows my business logic. QinetiQ haven't an axe to grind and will provide me with straight facts. One of the nice things about it is I can set service level agreements with vendors."

QinetiQ's tests found Royal Mail's networks were more secure than Roe had thought: "It wasn't as bad as I was expecting it to be. We can spot things so much more quickly now. We now know the infrastructure is fairly sound so we can focus on applications."

Roe said he was happy with QinetiQ's work, and could even trust their staff like one of his own: "I have a rising endorsement for them. If I have a request beyond what they are obliged to do, they drop everything to do it. It's like having an employee at the end of the phone."
